System Health and Intrusion Monitoring - PowerPoint PPT Presentation



SLIDE 1

Advanced Security Research

System Health and Intrusion Monitoring Using a Hierarchy of Constraints

Calvin Ko, NAI Labs, Network Associates, Inc.

Jeff Rowe, University of California, Davis

October 2001

SLIDE 2

RAID 2001-2

Abstract IDS Model

Diagram (figure residue): an ID Engine takes Rules and Audit Data (e.g., Kernel Audit trails, Network packets, Syslog, …) and produces a Result. Rules may express Intended/Expected Behavior, Attacks / Vulnerabilities, or Historical Behavior. The Result either detects actions by the attackers or detects the effect/manifestation of the attacker's actions.

SLIDE 3

System Health and Intrusion Monitoring (SHIM)

  • Extend existing specification-based detection work
  • Employ a hierarchy of constraints/specifications

– describe healthy/correct operation of a system
– capture static behavior, dynamic behavior, time-dependent behavior of different components at different levels of abstraction
– detect manifestations of attacks or security errors regardless of the cause

  • Utilize data at all levels

– network, host, OS kernel, application

  • Reason about the specifications

SLIDE 4

Top Level Threats addressed by SHIM

  • Remote-to-Local, Remote-to-Root
  • User-to-Root
  • Insider

– exceeding his/her privileges
– misusing his/her privileges

  • Trojan Horses
  • Denial of Services
  • Masqueraders & Probing
  • Privileged processes

– setuid root programs, servers/daemons, administrator processes

SLIDE 5

Constraint Model

Diagram (figure residue): a grid of system components against constraint types.

Components: System-wide, System Services, Host Programs and Applications, Network Protocols

Constraint types: Operational Integrity, Resource Usage, Access, Data Integrity, Temporal/Interaction

SLIDE 6

Constraint Development

Diagram (figure residue): constraints are developed from Attack / Vulnerability Models; Configuration, historical behavior, & system policy; Functionality & System Semantics; and Security Policies, Design Principles. They are organized into a Hierarchical Constraint Model together with Higher Level Constraints.

SLIDE 7

Roadmap

  • Technical objective
  • Approach and Rationale
  • Useful types of constraints
  • Program constraints
  • Protocol constraints
  • High level constraints
  • Ongoing and Future Work
SLIDE 8

Useful Types of Constraints

  • Policy on Users

– Files a user can access
– Resources a user is allowed to possess

  • Protocol Specifications -- operational view

– Defines allowable transitions
– Defines allowable time in a given state

  • Protocol Specifications -- message content

– Mappings delivered by DNS should accurately represent view of authoritative router
– IP addresses are not spoofed

SLIDE 9

Useful Types of Constraints (cont.)

  • Protocols -- Invariant and assumptions

– IP Routers approximate Kirchhoff's law
– Packets are not sniffed by third-party
– Packet source must be a non-congested/non-DOSed host

  • Programs -- valid access constraints

– Programs access only certain objects

  • Programs -- Interaction constraints

– program interaction should not change the semantics

  • Data Integrity

– e.g., passwords, other authentication information
– authorization information, process table

SLIDE 10

Access Constraints for Programs

  • Can Detect

– remote users gain local accesses
– local users gain additional privileges
– Trojan Horses

  • Work well for many programs, e.g., passwd, lpr, lprm, lpq, fingerd, at, atq, …
  • Some programs can potentially access many files, e.g., httpd, ftpd

– break the execution into pieces (or threadlets) and define the valid access for each threadlet
– Threadlets are defined by transition operations

SLIDE 11

Component-Specific Constraints

  • Privileged programs

– e.g., Ftp daemon

  • Read files that are world readable
  • Write files that are owned by the user
  • Execute only /bin/ls, /bin/gzip, /bin/tar, /bin/compress

  • Critical Data

– E.g., The password file in a Unix system should be in the correct form and each user should have a password.
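The three ftpd access constraints above written as executable checks over audit records; this is an added example, not code from the SHIM prototype. The audit record layout (operation, path, session user, object owner, mode bits) is an assumption about what a kernel auditor would supply, and the sample records are constructed.

```python
# Added example (not the SHIM project's code): evaluate constructed audit
# records against the ftpd access constraints from the slide.
from dataclasses import dataclass

# The slide's allowed executables for the ftp daemon.
FTPD_EXEC_ALLOWLIST = {"/bin/ls", "/bin/gzip", "/bin/tar", "/bin/compress"}

@dataclass
class AuditRecord:
    op: str        # "read", "write" or "exec" (assumed record layout)
    path: str      # object accessed
    user: str      # user the ftpd session is running as
    owner: str     # owner of the file object
    mode: int      # permission bits of the file object

def check_ftpd_access(rec):
    """Return None when the record satisfies the constraints, else a reason."""
    if rec.op == "read":
        if rec.mode & 0o004:                  # world-readable bit set
            return None
        return f"read of non-world-readable file {rec.path}"
    if rec.op == "write":
        if rec.owner == rec.user:             # file owned by the session user
            return None
        return f"write to {rec.path} not owned by {rec.user}"
    if rec.op == "exec":
        if rec.path in FTPD_EXEC_ALLOWLIST:
            return None
        return f"exec of {rec.path} outside the allowed set"
    return f"unexpected operation {rec.op}"

def audit(records):
    """Return (path, reason) for every record that violates a constraint."""
    return [(r.path, reason) for r in records if (reason := check_ftpd_access(r))]

# Constructed sample records for a session running as user "alice".
SAMPLE = [
    AuditRecord("read", "/pub/README", "alice", "root", 0o644),
    AuditRecord("read", "/etc/shadow", "alice", "root", 0o600),
    AuditRecord("write", "/home/alice/upload.tgz", "alice", "alice", 0o644),
    AuditRecord("write", "/etc/passwd", "alice", "root", 0o644),
    AuditRecord("exec", "/bin/ls", "alice", "root", 0o755),
    AuditRecord("exec", "/bin/sh", "alice", "root", 0o755),
]

if __name__ == "__main__":
    for path, reason in audit(SAMPLE):
        print("VIOLATION:", reason)
```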

SLIDE 12

General Constraints

  • A privileged process should discard all its privileges and capabilities before it gives control to a user.
  • The temporary file for a program should be accessible only by the program execution and should be removed when the program exits
  • An application should read only configuration files owned by the user that it is running as

SLIDE 13

Prototype SHIM Host Monitor

Diagram (figure residue): components shown are a Linux or Solaris Kernel, an Agile Kernel Auditor, the SHIM Compiler, Constraints / Specifications, the SHIM Monitor, SHIM Analyzer Modules, Other sources, and a Control path.

SLIDE 14

Protocol Constraints

  • Address Resolution Protocol (ARP)

– For mapping between the Ethernet layer and the IP layer
– Hosts on the network query all machines for their Ethernet-to-IP assignments before sending to a new IP address. Hosts typically keep a local list of mappings (the ARP cache) to avoid repetitive queries

  • ARP Cache Poisoning

– Unsolicited Response
– Bogus Request
– Bogus Response
– Both a spurious Request and a spurious Response

SLIDE 15

An ARP Specification

State diagram (figure residue): states i, reply_wait, and cached; transitions labelled ARP Request, ARP Response, ARP cache timeout, and ARP Request.

SLIDE 16

Unsolicited ARP Response

  • ARP reply will be accepted by a victim machine, even though it hasn't sent a request.
  • Sending an arbitrary IP to Ethernet mapping will poison the victim's ARP cache.
  • Sending an unsolicited response to the broadcast Ethernet address poisons the cache of all machines (Solaris, Windows, Linux).

ARP REPLY to victim blanc.cs.ucdavis.edu IS-AT 08:00:20:23:71:52

SLIDE 17

Bogus ARP Request

  • ARP implementations cache entries based upon broadcast requests.
  • Even if the host isn't involved in any resolution, its cache will update with the information contained in third-party requests.
  • Sending out a request with bogus sender information poisons everyone's cache.

ARP REQUEST WHO-HAS olympus.cs.ucdavis.edu TELL blanc.cs.ucdavis.edu at 08:00:20:23:71:52

SLIDE 18

An ARP Specification

State diagram (figure residue): states i, reply_wait, cached, and alarm; transitions labelled ARP Request, ARP Response, ARP cache timeout, Unsolicited ARP Response, Bogus ARP Response, Malformed Request, and ARP Request.

SLIDE 19

ARP Monitor Implementation

  • Built on the snort open-source IDS platform
  • Uses the snort preprocessor plug-in feature
  • No measurable difference in baseline IDS performance due to the low volume of ARP traffic.
  • Single ARP correctness specification catches all five ARP vulnerabilities
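An added example, not the paper's Snort preprocessor, of the per-IP state machine from the slide 18 specification run over constructed ARP events. The event tuple format, the timeout value, and the exact tests used for "bogus" (a solicited reply that contradicts the mapping learned earlier) and "malformed" (sender hardware address is the broadcast or zero address) are assumptions.

```python
# Added example (not the SHIM project's code): ARP correctness monitor with
# states i, reply_wait and cached per IP address, raising the slide's alarms.
TIMEOUT = 60.0                       # seconds a cached mapping stays valid (assumed)
BAD_MACS = {"ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"}   # never a real sender (assumed)

class ArpMonitor:
    def __init__(self):
        self.state = {}       # ip -> "i" | "reply_wait" | "cached"
        self.known = {}       # ip -> mac learned from a solicited reply
        self.since = {}       # ip -> time of the last state change
        self.alarms = []      # (time, alarm name, ip)

    def _expire(self, now):
        """ARP cache timeout transition: cached -> i once TIMEOUT has passed."""
        for ip, t in list(self.since.items()):
            if self.state.get(ip) == "cached" and now - t > TIMEOUT:
                self.state[ip] = "i"

    def process(self, t, op, sender_ip, sender_mac, target_ip):
        self._expire(t)
        if op == "request":
            if sender_mac in BAD_MACS:        # sender information cannot be genuine
                self.alarms.append((t, "Malformed Request", sender_ip))
                return
            self.state[target_ip] = "reply_wait"   # ARP Request: i/cached -> reply_wait
            self.since[target_ip] = t
        elif op == "reply":
            st = self.state.get(sender_ip, "i")
            if st != "reply_wait":            # nobody asked for this mapping
                self.alarms.append((t, "Unsolicited ARP Response", sender_ip))
            elif sender_ip in self.known and self.known[sender_ip] != sender_mac:
                self.alarms.append((t, "Bogus ARP Response", sender_ip))
            else:                             # ARP Response: reply_wait -> cached
                self.known[sender_ip] = sender_mac
                self.state[sender_ip] = "cached"
                self.since[sender_ip] = t

# Constructed ARP events: (time, op, sender_ip, sender_mac, target_ip)
EVENTS = [
    (0.0,  "request", "10.0.0.5", "aa:aa:aa:aa:aa:01", "10.0.0.1"),
    (0.1,  "reply",   "10.0.0.1", "aa:aa:aa:aa:aa:02", "10.0.0.5"),   # solicited, fine
    (5.0,  "reply",   "10.0.0.1", "aa:aa:aa:aa:aa:99", "10.0.0.5"),   # nobody asked
    (70.0, "request", "10.0.0.5", "aa:aa:aa:aa:aa:01", "10.0.0.1"),   # after timeout
    (70.1, "reply",   "10.0.0.1", "aa:aa:aa:aa:aa:99", "10.0.0.5"),   # contradicts known
    (80.0, "request", "10.0.0.9", "ff:ff:ff:ff:ff:ff", "10.0.0.1"),   # malformed sender
]

def run(events):
    """Feed events through a fresh monitor and return the alarm names raised."""
    mon = ArpMonitor()
    for ev in events:
        mon.process(*ev)
    return [name for _, name, _ in mon.alarms]
```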

SLIDE 20

A DHCP Specification

  • Dynamic Host Configuration Protocol (DHCP)

– provides centralized management of client workstation configuration parameters
– Distributed servers cooperatively allocate client parameters, even across sub-networks.

  • DHCP typically configures

– IP address allocation
– Gateway router address
– DNS servers

SLIDE 21

DHCP Messages

From Server (Message: Use)

  • DHCPOFFER: Server to client in response to DHCPDISCOVER with offer of configuration parameters.
  • DHCPACK: Server to client with configuration parameters, including committed network address.
  • DHCPNAK: Server to client indicating client's notion of network address is incorrect (e.g., client has moved to new subnet) or client's lease has expired.

From Clients (Message: Use)

  • DHCPDISCOVER: Client broadcast to locate available servers.
  • DHCPREQUEST: Client message to servers either (a) requesting offered parameters from one server and implicitly declining offers from all others, (b) confirming correctness of previously allocated address after, e.g., system reboot, or (c) extending the lease on a particular network address.
  • DHCPDECLINE: Client to server indicating network address is already in use.
  • DHCPRELEASE: Client to server relinquishing network address and cancelling remaining lease.
  • DHCPINFORM: Client to server, asking only for local configuration parameters; client already has externally configured network address.

SLIDE 22

DHCP Protocol Misuse

  • DHCP is built upon UDP, making IP spoofing trivial.
  • DHCP traffic is passed by routers and can traverse remote networks
  • Denial-of-Service

– Fake client DHCPRELEASE causes server to assign same IP address to multiple clients.
– Multiple fake DHCPREQUEST messages consume all available IP addresses.

  • Falsification of network services

– Fake DHCP server feeds clients false gateway router address for DOS or to intercept traffic.
– Fake DHCP server feeds clients a false DNS server and supplies its own malicious mappings.
SLIDE 23

DHCP Protocol

Client state diagram (figure residue; states and transition labels recovered from the slide):

States: Init-Reboot, Init, Rebooting, Selecting, Requesting, Rebinding, Bound, Renewing

Transitions (event / action):

– / Send DHCPREQUEST
– DHCPACK / Record lease, set T1, T2 (appears on several edges)
– DHCPNAK / Restart
– DHCPNAK / Discard Offer
– DHCPACK (not accepted) / Send DHCPDECLINE
– / Send DHCPDISCOVER
– DHCPOFFER / Collect Offers
– Select Offer / Send DHCPREQUEST
– DHCPOFFER / Discard
– DHCPNAK / Lease expired
– DHCPOFFER, DHCPACK, DHCPNAK / Discard
– T1 Expires / Send DHCPREQUEST
– T2 Expires / Broadcast DHCPREQUEST
– DHCPNAK / Halt Network

SLIDE 24

DHCP Protocol Monitor

  • DHCP protocol monitor is implemented as a Snort IDS plug-in.
  • Based upon the DHCP client state diagram
  • Monitors for DHCPRELEASE messages
  • Monitors for multiple server replies indicating the presence of a rogue DHCP server.
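An added example, not the paper's plug-in: a simplified monitor that follows each client through the slide 23 states, flags a DHCPRELEASE from a client the monitor never saw holding a lease, and flags a transaction answered by more than one server identifier. The message dictionaries are constructed stand-ins for parsed DHCP packets; the field names follow the DHCP header and options but the layout is an assumption.

```python
# Added example (not the SHIM project's Snort plug-in). Messages are plain
# dictionaries standing in for parsed DHCP packets (assumed layout).
LEASE_STATES = {"Bound", "Renewing", "Rebinding"}   # client currently holds a lease

class DhcpMonitor:
    def __init__(self):
        self.state = {}     # client MAC -> state from the client state diagram
        self.servers = {}   # xid -> set of server identifiers that answered it
        self.alerts = []    # (alert, key, detail)

    def process(self, msg):
        mac, xid, kind = msg["chaddr"], msg["xid"], msg["type"]
        cur = self.state.get(mac, "Init")
        if kind == "DHCPDISCOVER":
            self.state[mac] = "Selecting"
        elif kind == "DHCPREQUEST":
            self.state[mac] = "Renewing" if cur in LEASE_STATES else "Requesting"
        elif kind == "DHCPRELEASE":
            if cur not in LEASE_STATES:       # release of a lease we never saw granted
                self.alerts.append(("release from non-bound client", mac, msg["ciaddr"]))
            self.state[mac] = "Init"
        elif kind in ("DHCPOFFER", "DHCPACK", "DHCPNAK"):
            seen = self.servers.setdefault(xid, set())
            if msg["server_id"] not in seen:
                seen.add(msg["server_id"])
                if len(seen) > 1:             # two servers answering one transaction
                    self.alerts.append(("multiple servers", xid, sorted(seen)))
            if kind == "DHCPACK":
                self.state[mac] = "Bound"
            elif kind == "DHCPNAK":
                self.state[mac] = "Init"

def m(kind, chaddr, xid, server_id=None, ciaddr=None):
    """Build a constructed message carrying only the fields the monitor reads."""
    return {"type": kind, "chaddr": chaddr, "xid": xid,
            "server_id": server_id, "ciaddr": ciaddr}

A, B, C = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
SAMPLE = [                                       # constructed traffic
    m("DHCPDISCOVER", A, 1), m("DHCPOFFER", A, 1, "10.0.0.1"),
    m("DHCPREQUEST", A, 1),  m("DHCPACK", A, 1, "10.0.0.1"),       # A ends up Bound
    m("DHCPDISCOVER", B, 2), m("DHCPOFFER", B, 2, "10.0.0.1"),
    m("DHCPOFFER", B, 2, "10.0.0.2"),                              # second server answers
    m("DHCPRELEASE", C, 3, ciaddr="10.0.0.77"),                    # C never held a lease
    m("DHCPRELEASE", A, 4, ciaddr="10.0.0.50"),                    # legitimate release
]

def run(messages):
    """Feed messages through a fresh monitor and return the alerts raised."""
    mon = DhcpMonitor()
    for msg in messages:
        mon.process(msg)
    return mon.alerts
```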

SLIDE 25

High-Level Constraints

  • Concerned with the system or a service
  • May not be directly detectable; need to project down to lower-level constraints
  • e.g., Only valid users can login from valid remote hosts.
  • Combining host-based and protocol constraints

SLIDE 26

Projections

Projection tree (figure residue) for the high-level constraint "Only authorized remote user can rlogin to a host":

– rlogind allows only authorized attempt
– Remote host not compromised
– Rlogin packet came from the true remote host
– DNS name not spoofed
– IP address not spoofed
– ARP address not spoofed

SLIDE 27

Ongoing and Future Work

  • Investigate constraints for other components
  • Projections of constraints
  • Verification of constraints
  • Interaction constraints
  • High level constraints